Shadow IT: Every Company's 3 Hidden Security Risks

Companies can squash the proliferation of shadow IT if they listen to employees, create transparent guidelines, and encourage an open discussion about the balance between security and productivity.

Twelve years with the FBI and I was ready for anything: espionage, massive cyberattacks, Tom Clancy-esque zero-day exploits. I saw some of that, of course, but more often I discovered and rediscovered that it's the simple things that most often cause catastrophic problems — simple things that plague every company.

For example, midway through my stint as a dedicated cyber agent, we responded to a data breach at a well-known company. Private information, much of it highly sensitive, had been dumped into a repository on the open Internet. Was it the result of state-sponsored actors? Sophisticated activist groups? A brute-force login attack?

No. An employee had placed sensitive data in a free cloud storage account, and run-of-the-mill data thieves had simply posted it online. Despite the fact that this storage provider had a high-profile breach only months earlier, the employee didn't change the account password. A million-dollar problem could have been avoided with a 60-second password reset. This is a great example of the three risks I see in most companies.

Who: Any employee can collect data. With a credit card and Internet access, any individual member of the staff can run critical company functions with or without permission. Most have good intentions. Some don't.

What: Employees can collect any kind of sensitive data. Customer and company data are sensitive and can be immensely valuable. Without guidance, employees can just as easily collect and store Social Security numbers as coffee preferences. But if the Social Security numbers get hacked, you could be on the hook for millions in recovery costs.

Where: Data are invisible and inaccessible to company managers. In the new GDPR world, data that doesn't live in enterprise-controlled systems is much more difficult to retrieve. Worse yet, data in private accounts follow the owner when she leaves the company. What if she's taking a list of your 100 best clients?

It's no surprise that as many as 80% of employees use unauthorized services. What is surprising is that companies have known about this threat for a very long time, yet they're still failing to address it. According to Gartner, "Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year."

When employees use platforms that have not been screened or authorized by a company's technology and security team, they're wading into what's known as "shadow IT." And shadow IT makes it much easier for hackers to steal your company's data. For example, employees will always try to increase productivity in any way they can. They'll rely on unsanctioned cloud-based file storage, survey software, or messaging apps if those apps will save them a few minutes. But this kind of behavior opens up the holes that can cost a company millions of dollars and priceless consumer trust. A 2017 study by the Ponemon Institute found that the average cost of a breach is $3.62 million. There's nothing productive about that.

Chat-Room LurkersAnother true story: During an investigation into a network intrusion at a large company, the network engineering team was using a free chat tool to communicate as they fought to regain control of their network. They had not told anyone about this tool, and they had been using it for months. In fact, it became their primary channel as they chased the attackers in their network. Do you see where this is going?

These engineers hadn't involved their infosec team in vetting the tool, and it was set up insecurely. The attackers had joined the very chat group the engineers were using to try to kick them off, and they were tracking the team's every move. We discovered the intruders only by identifying every person in the chat group and isolating several imposters. After that, we moved quickly to a different communications channel.

In their rush to be productive, the engineers made the problem worse with a sloppy setup of a free tool. The company spent a lot more time and money remediating the breach, and the data loss was much larger than it could have been. They had to spend millions to inform customers and to provide credit protection for those customers.

Squashing Shadow ITHow can your company avoid horror stories like these? Here are four ways to bring security priorities and employee behavior together:

Policy and communication. Companies need a well-defined policy on the use of unsanctioned services and the protection of company data. But policy won't accomplish anything if it isn't communicated to employees. Offer regular training, including explanations of the rationale behind the policy and real-world risks.

Open-minded onboarding. New employees often want to use the productivity tools that were helpful at their previous jobs, so onboarding must include the data security policy. But also use that moment to take new suggestions into account.

What you don't know can hurt you. Survey employees regularly on the resources they're using to illuminate security risks before a breach occurs. If enough employees need a solution, IT should work to find an approved vendor that can securely fill that need.

Partners, not police. Foster an ongoing conversation between employees and your company's security/IT departments about how to balance productivity with security. If your security team reflexively says "no" whenever employees want productivity-boosting tools, employees will just stop asking and use the tools anyway.

Companies can squash shadow IT risk, but they have to be willing to listen to their employees, create transparent guidelines, and encourage an open discussion on the best ways to be both productive and secure.

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info.

Adam Marrè, CISSP, GCIA, GCIH, is a Qualtrics information security operations leader and former FBI cyber special agent. Adam has more than 12 years experience leading large-scale computer intrusion investigations and consulting as a cybercrime ... View Full Bio

Shadow IT happens when policies and procedures prevent employees from doing their work. The case of the insecure chat app in the article is a perfect example. Unsanctioned FTP clients and back door local user names and passwords are also symptoms of this.

This happens when senior management refuses to budget for the tools needed to secure Identity and Access Management in a way that lets employees work efficiently or when they don't buy into those intitiatives. Finally indadaquate IT and Security staff, or undertrained staff also feeds this evil weed.

If you make it hard or impossible for employees to work efficiently, or fail to factor your kludgy (read often "budget friendly") infrastructure into performance goals, people will find a way to work efficiently. And why wouldn't they? If I have to get spreadsheets or reports distributed to my supply chain vendors, and that is a poor, manual process that takes a lot of time, you bet I will find a quicker way. Nobody EVER got a raise for following policy that requires a slow, inefficient process and no review ever says, this employee did less, but they did it securely so give them a bigger raise than the ones who cheated but were more productive.

If you want your people to adher to secure processes, make those processes MORE efficient than a hacked up back door.

Start incentivizing good behavior instead of bad, and you will be amazed how secure things become.

Fine article from a veteran cybersecurity professional about an aspect that doesn't get enough attention. Call it shadow IT, or something else, it comes down to data governance.

Where Adam has "What you don't know can hurt you.", I'd add: You can't protect what you don't know you have. You can't protect data unless you know you have it, and know where it's stored - EVERYWHERE it's stored: every copy, every version, every device, every service, every B2B partner, even the data which can be reconstituted from disparate stores and sources, even the bio-memory of your knowledge workers, past and present. Too many places? Next time, limit the places to where it's needed.

For vast amounts of data, it's too late to regain control (control which was an illusion to begin with); but new data is generated all the time - you do have a chance to a better job of data governance with that. However, if you don't have an understanding of the fundamental nature of data and information, you're bound to repeat the old mistakes even if you find new ways (or new ways find you), to do that. Forget the idea of just protecting your "sensitive" data; in time, someone will find a way to make use of any data you leave unprotected to get at the crown jewels.

You have to start somewhere, start with this: don't put any data in front of anyone or on anything that doesn't need that specific data to do a specific job, and only while they are doing that specific task (not whenever they feel like it). I mean a specific person, not a job title. Make sure your authentication and authorization always resolves to an entity - not a type.

Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.

In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possib...

Teradata Viewpoint before 14.0 and 16.20.00.02-b80 contains a hardcoded password of TDv1i2e3w4 for the viewpoint database account (in viewpoint-portal\conf\server.xml) that could potentially be exploited by malicious users to compromise the affected system.

In Axway File Transfer Direct 2.7.1, an unauthenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request with %2e instead of '.' characters, as demonstrated by an initial /h2hdocumentation//%2e%2e/ substring.